Is your dealership located in one of these 20 states? If so, pay attention.
The California Consumer Privacy Act (CCPA) may be the first comprehensive data privacy law in the U.S., but it certainly isn’t the last. Since its passage, 19 additional states have introduced and/or passed similar laws, or have amended their current breach notification laws to either expand the definitions of personal information or include new reporting requirements.
The purpose of these new privacy laws is to require businesses—which include the majority of auto and heavy truck dealerships—to provide consumers with control over their personal information, including the right to know what data is collected, whether that data is sold and/or shared, the option to opt out of those sales or sharing, and the right to access and/or delete their data.
Some of these new laws aim to expand consumer rights through private right of action, which means that consumers have the right to sue if your business fails to adhere to the standards set forth in these new laws.
As of July 2019, here is a roundup of states with brief summaries of their legislation:
- California. The California Consumer Privacy Act (CCPA) goes into effect January 1, 2020. This law was intended to restrict the way personal information is used, stored and shared. Dealerships will be required to notify consumers about their data collection practices and allow consumers to opt out of having their data shared with third parties. The CCPA allows consumers to bring a private right of action (a.k.a. lawsuit) against a dealership if they are a victim of an unauthorized breach of non-encrypted personal information.
- Colorado. The Colorado Consumer Protection Act (CCPA) was passed in the spring of 2019. This law makes it easier for the attorney general’s office to pursue deceptive practices. Prosecutors no longer have to prove that a business acted maliciously towards consumers, or that bad practices caused significant harm or impact, before action is taken. The law also increases the maximum penalty per violation a business can be ordered to pay from $2,000 to $20,000.
- Hawaii. SB418 is modeled after the CCPA, but has an even broader reach since it does not define a business. The proposed law does not have a private right of action or specify any penalties, and the Office of Consumer Protection is tasked with enforcing the law.
- Illinois. SB 1624 requires businesses to notify the Attorney General of breaches involving at least 500 Illinois residents.
- Louisiana. Recent changes to the Database Security Breach Notification Law expand the definition of personal information and require notice of a security breach to all affected Louisiana residents within 60 days. Additionally, all businesses must maintain “reasonable security procedures and practices” to protect personal information. When consumer data is no longer retained for business use, reasonable steps must be taken to destroy it.
- Maine. Passed in June 2019, An Act to Protect the Privacy of Online Customer Information currently applies only to broadband Internet service providers (ISPs).
- Maryland. The Online Consumer Protection Act is modeled after the CCPA but with more expansive consumer rights to opt out of the sharing of any personal information with third parties. However, during the 2019 General Assembly session this bill was postponed indefinitely.
- Massachusetts. An Act Relative to Consumer Data Privacy has even stricter standards than the CCPA. Similar to Maryland’s bill, it expands consumers’ rights to opt out of the sharing of information with third parties, and completely prohibits the sharing of information of minors under the age of 18. It also allows a private right of action for any violation of the law. This bill takes effect January 1, 2023.
- Mississippi. The Mississippi Consumer Privacy Act was almost a replica of the CCPA, but the bill died in committee in February 2019.
- Nebraska. LB757 requires all businesses that collect Nebraska residents’ personal information to implement and maintain reasonable security procedures and practices, including safeguards for the disposal of personal information.
- Nevada. SB 220 is modeled on the CCPA with only a few deviations, but applies only to owners of Internet websites and online commercial providers. The law does not allow a private right of action.
- New Jersey. A-4902 is similar to the CCPA, but focuses more on the disclosure of personally identifiable information (PII) to third parties. Currently the bill applies only to owners and operators of commercial Internet websites and online services.
- New Mexico. The Consumer Information Privacy Act is modeled after the CCPA but has a broader scope due to shorter and more general definitions of the terms “business,” “consumer” and “minor.” However, this bill has been postponed indefinitely.
- New York. SB-S224 is even broader than the CCPA, in that the CCPA only allows a private right of action for failing to take reasonable measures to secure data. The New York bill expands the private right of action to additional violations, such as the failure to act on a customer’s request to delete information. This means dealerships could potentially face hundreds of lawsuits from consumers. The law is expected to pass in 2019.
- North Dakota. House Bill 1485 is not as strict as the CCPA, but it does prohibit the disclosure of personal information to third parties without written consent from a consumer. However, this bill has been replaced with a legislative management study with findings expected to be reported in 2021.
- Ohio. The Data Protection Act differs from the CCPA in that it provides protection against lawsuits for businesses, even in the event of a security breach, as long as the business can provide proof that it took “reasonable measures” to protect consumer data.
- Oregon. The Consumer Information Protection Act requires businesses and vendors of businesses to notify all “covered entities,” as well as the Attorney General, within 10 days of discovering a security breach, if the breach involves more than 250 consumers or if the number of individuals affected is unknown.
- Rhode Island. The Consumer Privacy Protection Act is modeled after the CCPA, but as of April 2019 the bill is being held for further study.
- Texas. Effective January 1, 2020, the Texas Identity Theft Enforcement and Protection Act will require businesses to send breach notifications to affected individuals no later than 60 days after identifying the breach, as well as to the Attorney General, provided that the breach impacts at least 250 Texas residents.
- Washington. The Washington Privacy Act is modeled after both the CCPA and the European GDPR, but does not give consumers a private right of action. The bill failed to pass in April but it’s currently in the state senate, where it has a chance to be amended.
In the next few years, expect this list of states to grow longer, and expect new legislation that expands the scope of these bills. Don’t assume dead bills will never be resurrected.
It’s also important to note that there’s growing support for federal data privacy legislation. Proponents argue that the current system, with each state having its own data privacy laws, is too confusing. Several bills have been introduced to Congress by lawmakers, but so far none have passed. It’s uncertain whether federal legislation will supersede state laws.